FortiRecon
FortiRecon is a digital risk protection (DRP) service that allows customers to gain visibility of their digital attack surface, receive targeted threat intelligence, and reduce organisational risk.
Ajose
Staff
Article Id 394393

FortiRecon Digital Risk Protection (DRP), a SaaS-based service, includes External Attack Surface Management, Brand Protection, and Adversary Centric Intelligence.

Adversary Centric Intelligence (ACI): leverages FortiGuard Threat Analysis to provide comprehensive coverage of dark web, open-source, and technical threat intelligence, including threat actor insights, enabling organizations to proactively assess risks, respond faster to incidents, better understand their attackers, and guard assets.

The Vulnerability Intelligence Module under Adversary Centric Intelligence (ACI) provides a realistic view of a vulnerability's impact, based on chatter and discussion about it across external sources such as the dark web, social media, news, and blogs.

CVE ID: CVE-2024-51378
CVE Title: CyberPanel Incorrect Default Permissions Vulnerability
NVD Severity: CRITICAL
FortiRecon Severity: CRITICAL
FortiRecon Score: 96/100
EPSS Score: 0.93956
Exploited: Yes
Exploited by Ransomware Group(s): No
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: Yes
Available working exploit(s): 2
Available POC exploit(s): 3
Darknet Mention(s): 1 (breachforums)
Telegram Mention(s): 0
FortiRecon Intelligence Reporting(s): 1 (Darknet), 1 (Technical Intelligence), 2 (OSINT), 1 (FortiGuard Research)
Vendor Advisory:

CVE ID: CVE-2024-27199
CVE Title: In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform...
NVD Severity: HIGH
FortiRecon Severity: CRITICAL
FortiRecon Score: 90/100
EPSS Score: 0.94501
Exploited: Yes
Exploited by Ransomware Group(s): Yes (Jasmin Ransomware Operators)
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: No
Available working exploit(s): 0
Available POC exploit(s): 0
Darknet Mention(s): 3 (ramp, xss)
Telegram Mention(s): 4 (Freedom F0x, مرکز تحقیقاتی APT IRAN, SILENT CYBER FORCE, ARVIN)
FortiRecon Intelligence Reporting(s): 3 (OSINT), 2 (Technical Intelligence), 4 (FortiGuard Research)
Vendor Advisory:

CVE ID: CVE-2024-27198
CVE Title: JetBrains TeamCity Authentication Bypass Vulnerability
NVD Severity: CRITICAL
FortiRecon Severity: CRITICAL
FortiRecon Score: 92/100
EPSS Score: 0.94579
Exploited: Yes
Exploited by Ransomware Group(s): Yes (BianLian Ransomware Operators, Black Basta Ransomware Group, Jasmin Ransomware Operators)
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: Yes
Available working exploit(s): 2
Available POC exploit(s): 15
Darknet Mention(s): 21 (breachforums, exploit, xss, ramp)
Telegram Mention(s): 5 (ARVIN, SILENT CYBER FORCE, مرکز تحقیقاتی APT IRAN, Hunt3r Kill3rs | Охотники-убийцы, Freedom F0x)
FortiRecon Intelligence Reporting(s): 9 (OSINT), 3 (Darknet), 3 (Technical Intelligence), 14 (FortiGuard Research)
Vendor Advisory:

CVE ID: CVE-2021-22205
CVE Title: GitLab Community and Enterprise Editions Remote Code Execution Vulnerability
NVD Severity: CRITICAL
FortiRecon Severity: CRITICAL
FortiRecon Score: 92/100
EPSS Score: 0.94479
Exploited: Yes
Exploited by Ransomware Group(s): Yes (Wazawaka, Cerber Ransomware)
Exploited by APT Group(s): Yes (Earth Lusca, Earth Lamia)
Included in CISA KEV List: Yes
Available working exploit(s): 3
Available POC exploit(s): 32
Darknet Mention(s): 1 (90sec)
Telegram Mention(s): 2 (Freedom F0x)
FortiRecon Intelligence Reporting(s): 12 (Technical Intelligence), 4 (OSINT), 11 (FortiGuard Research)
Vendor Advisory:

CVE ID: CVE-2017-9805
CVE Title: Apache Struts Deserialization of Untrusted Data Vulnerability
NVD Severity: HIGH
FortiRecon Severity: CRITICAL
FortiRecon Score: 92/100
EPSS Score: 0.9439
Exploited: Yes
Exploited by Ransomware Group(s): No
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: Yes
Available working exploit(s): 3
Available POC exploit(s): 18
Darknet Mention(s): 2 (xss, 90sec)
Telegram Mention(s): 0
FortiRecon Intelligence Reporting(s): 2 (Technical Intelligence), 2 (OSINT)
Vendor Advisory:

CVE ID: CVE-2025-31324
CVE Title: SAP NetWeaver Unrestricted File Upload Vulnerability
NVD Severity: CRITICAL
FortiRecon Severity: CRITICAL
FortiRecon Score: 95/100
EPSS Score: 0.79541
Exploited: Yes
Exploited by Ransomware Group(s): Yes (Qilin ransomware Operators)
Exploited by APT Group(s): Yes (Earth Lamia, UNC5221)
Included in CISA KEV List: Yes
Available working exploit(s): 0
Available POC exploit(s): 18
Darknet Mention(s): 0
Telegram Mention(s): 0
FortiRecon Intelligence Reporting(s): 10 (FortiGuard Research), 8 (OSINT), 5 (Technical Intelligence), 1 (HUMINT)
Vendor Advisory:

CVE ID: CVE-2024-9047
CVE Title: Path Traversal Vulnerability in WordPress File Upload plugin
NVD Severity: CRITICAL
FortiRecon Severity: CRITICAL
FortiRecon Score: 90/100
EPSS Score: 0.92609
Exploited: Yes
Exploited by Ransomware Group(s): No
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: No
Available working exploit(s): 0
Available POC exploit(s): 5
Darknet Mention(s): 0
Telegram Mention(s): 0
FortiRecon Intelligence Reporting(s): 1 (Technical Intelligence)
Vendor Advisory:

CVE ID: CVE-2024-56145
CVE Title: Code Execution Vulnerability in Craft CMS
NVD Severity: Not Assigned
FortiRecon Severity: CRITICAL
FortiRecon Score: 91/100
EPSS Score: 0.93039
Exploited: Yes
Exploited by Ransomware Group(s): No
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: No
Available working exploit(s): 0
Available POC exploit(s): 4
Darknet Mention(s): 0
Telegram Mention(s): 1 (Freedom F0x)
FortiRecon Intelligence Reporting(s): 2 (OSINT), 1 (Technical Intelligence), 1 (FortiGuard Research)
Vendor Advisory:

CVE ID: CVE-2024-51567
CVE Title: CyberPanel Incorrect Default Permissions Vulnerability
NVD Severity: CRITICAL
FortiRecon Severity: CRITICAL
FortiRecon Score: 90/100
EPSS Score: 0.94261
Exploited: Yes
Exploited by Ransomware Group(s): No
Exploited by APT Group(s): Yes (Earth Lamia)
Included in CISA KEV List: Yes
Available working exploit(s): 1
Available POC exploit(s): 3
Darknet Mention(s): 0
Telegram Mention(s): 0
FortiRecon Intelligence Reporting(s): 1 (Technical Intelligence), 2 (OSINT), 1 (FortiGuard Research)
Vendor Advisory:
